This document provides tips for optimizing a WordPress site for search engine optimization and security. It discusses configuration changes like permalinks and privacy settings. It recommends plugins for SEO like Yoast SEO, pagination, related posts, image optimization, and redirects. It also gives security recommendations like using a theme authenticity checker, keeping installations clean, updating regularly, daily scans, hardening security settings, and file permissions. Tips are provided for maintenance activities like theme testing, debugging, enabling Akismet, and backing up databases and files. The overall document aims to help WordPress site owners optimize their sites for SEO and improve security.

1. WordPress
Optimization and Security
Leeds, September 2012
http://gdig.de/think12
Bastian Grimm, Managing Partner - Grimm Digital

2. About me
 Background: PHP & Java
– Dev. CMS, shops & forums
– Wazap! Game Search Engine
 Online Marketing since 2004
– SEO strategy consulting, in-house
trainings & workshops, WordPress
@basgr
SEO, bla bla…
 Links, Links, Links…need some?
 Stuff to play with…
2

3. Get the Slide-Deck
http://gdig.de/think12
3

4. Credits for facts & graphic: http://yoast.com/wordpress-stats/

5. Credits for facts & graphic: http://yoast.com/wordpress-stats/

6. Section #1: Configuration

7. #1 Settings > PermaLinks
Get rid of those dates
(IDs), they look awful!
/%postname%/

8. #2 Settings > Privacy
Make sure you actually
allow search engine to
access your contents!
8

9. #3 Fix your Themes’ Page Title
Open header.php in your
themes’ folder, search
for “wp_title” – it’s going
be the first match!
<title><?php wp_title(); ?></title>
That’s the ONLY
thing you need!
9

10. Section #2: WordPress SEO

11. #4 WordPress SEO by Yoast 1/9
Make sure to uncheck this!
Enables setting noindex,
canonical & 301 (for users)
on a per-post basis

12. #4 WordPress SEO by Yoast 2/9
You surely don‘t need paged
archives, categories, etc. –
they‘re targeting the same
keys anyways.
Affiliate sites mainly have
pages, no need for RSS.
Check all of them!

13. #4 WordPress SEO by Yoast 3/9
Set proper page title &
description, also choose
author for SERP listing

14. #4 WordPress SEO by Yoast 4/9
Use help section to get
details an all 30+ variables!
Keep unchecked unless
you’re publishing news.
Default value has been
changed w/ last update.

15. In addition: Post-level settings
You can overwrite defaults
on a per-post level using
the “Advanced” settings.
15

16. #4 WordPress SEO by Yoast 5/9
Usually you just need one
(unless having a HUGE
amount of content) –
“noindex” the other one!

17. #4 WordPress SEO by Yoast 6/9
Especially w/ single-authored
blogs, those are a 1:1 copy of
your homepage.
301 is the better solution!

18. #4 WordPress SEO by Yoast 7/9
For larger sites, check to auto-
generate XML sitemaps.
Remember to check excludes!

19. #4 WordPress SEO by Yoast 8/9
Make absolutely sure
you‘re using these!

20. BTW: Clean those URL-Slugs
WP Permalauts
Especially important for
Germany, France, etc.
http://wordpress.org/extend/plugins/wp-permalauts/

21. #4 WordPress SEO by Yoast 9/9

22. Trust me… things change!
Check out SEO data transporter
to switch SEO plug-ins!
22

23. Migration made easy: Painless switching!
SEO Data Transporter
http://wordpress.org/extend/plugins/seo-data-transporter/

24. Section #3: Plug-ins
24

25. Make absolutely sure
you only use plug-ins
from trusted authors!

26. #5 Fix your Pagination
Better crawl-ability, better WP-PageNavi
indexation – what else u want?
WordPress pagination
s*cks, replace it!
http://wordpress.org/extend/plugins/wp-pagenavi/

27. #6 Improve internal Cross-Linking
Yet Another Related
Posts Plugin
http://wordpress.org/extend/plugins/yet-another-related-posts-plugin/

28. #7 Auto-optimize Image Attributes
SEO Friendly Images
Forces post title &
image name to be used
as img alt-attribute
http://wordpress.org/extend/plugins/seo-image/

29. #8 Redirect old Contents
Redirection
http://wordpress.org/extend/plugins/redirection/

30. #9 Mask your Affiliate Links
Eclipse Link Cloaker
http://eclipsecloaker.com/

31. Don’t forget to tweak your robots.txt
We don‘t want some WP
User-Agent: * specific files & folders
Disallow: /wp-admin/
Disallow: /feed/
Disallow: /comments/feed/
Disallow: /*/trackback/$
Disallow: /*/feed/$
Disallow: /*.css$ Adjust according to your
Disallow: /*.js$
Disallow: /r/
Link Cloaker settings.
31

32. #10 Have Rich-Snippets if possible
Schema Creator
http://wordpress.org/extend/plugins/schema-creator/

33. Section #4: Security

34. #11 Never EVER do this!
These sites are
more than worse…

35. A quick peak into some theme files…
LOL! „family friendly“
links – my a*s…
35

36. A quick peak into some theme files…
functions.php: This theme
won‘t be working without
those links…
36

37. #12 Always use TAC to do a pre-check!
Theme Authenticity
Checker (TAC)
http://builtbackwards.com/projects/tac/

38. It get’s worse: base64 encoded footer
Are you really sure you want
to see that footer.php file?
38

39. Right… NICE FOOTER!
39

40. If you are REALLY curious…
 http://ottodestruct.com/decoder.php
 http://www.tareeinternet.com/scripts/byterun.php
 http://www.tareeinternet.com/scripts/decrypt.php
 http://rot13-encoder-decoder.waraxe.us/
The PHP code isn’t “really”
encrypted, rather kind of obfuscated.
Reversing is possible!

41. PLEASE… stay away
from “free” WordPress
themes – they’re not
free, really!

42. #13 Keep your installation clean
Remove all non-active
plug-ins as well as themes!
42

43. #14 Do updates regularly!
 WP Updates Notifier to get emails
on out-dated components (core,
themes & plug-ins) for all blogs:
– http://wordpress.org/extend/plugins
/wp-updates-notifier/
 ManageWP can do one-click mass
updates (core, themes, plug-ins
again) for all your blogs:
– http://managewp.com/features

44. #15 Daily scan your Theme
WP AntiVirus
http://wordpress.org/extend/plugins/antivirus/

45. #16 Harden your Security Settings
Secure WordPress
Most important: Remove version
number from ALL components &
block malicious URL requests.
http://wordpress.org/extend/plugins/secure-wordpress/

46. #17 Protect wp-admin by .htaccess
Put an .htaccess to your
/wp-admin/ for basic
passwd. protection.
You can also try the “Lockdown WP
Admin” plug-in to protect PHP files in
wp-admin as well as the login itself.
http://wordpress.org/extend/plugins/lockdown-wp-admin/

47. #18 Fix File & Folder Permissions
WP-Security Scan
Very important: chmod your
wp-config.php to be read-only!
http://wordpress.org/extend/plugins/wp-security-scan/

48. Section #5: Maintenance
48

49. #19 Do a Theme Test Drive
Live-Testing a new theme
without anyone else
noticing… nice!
http://wordpress.org/extend/plugins/theme-test-drive/

50. #20 Debug your WordPress #1
P3 (Plugin Perf. Profiler)
http://wordpress.org/extend/plugins/p3-profiler/

51. #20 Debug your WordPress #1
http://wordpress.org/extend/plugins/p3-profiler/

52. #20 Debug your WordPress #1
http://wordpress.org/extend/plugins/p3-profiler/

53. #20 Debug your WordPress #1
http://wordpress.org/extend/plugins/p3-profiler/

54. #21 Debug your WordPress #2
Debug Objects
http://wordpress.org/extend/plugins/debug-objects/

55. #22 Enable Akismet
Just enable, get an API key
and turn „auto-delete“ on!

56. #23 Backup Database & Files
BackWPup
http://wordpress.org/extend/plugins/backwpup/

57. #24 Watch out for Errors
 Knowledge is power
 Use a 404 logger
– Analytics software
– Redirection (built-in)
– Webserver logs
 Setup 301 redirects
accordingly using
“Redirection”, again.
Image-Credits: http://gdig.de/i

58. #25 Maintain Categories & Tags
Term Mgmt. Tools
Mass merge &
change parents
http://wordpress.org/extend/plugins/term-management-tools/

59. Section #6: Performance

60. GWT Site Performance Info
This is really not so good…!
60

61. Scoring domains by
performance; check it out!
https://developers.google.com/pagespeed/

62. #26 Compress those Images
13.2% savings WP Smush.it
for one image!
http://wordpress.org/extend/plugins/wp-smushit/

63. Or try this one - if you don’t like Yahoo…
Run‘s awesome CW Image
image optimization Optimizer
but requires Unix
„littleutils“
http://wordpress.org/extend/plugins/cw-image-optimizer/

64. #27 Setup a Caching Plug-in
W3 Total Cache
http://wordpress.org/extend/plugins/w3-total-cache/

65. #28 Combine multiple CSS files
 Combine CSS files into one to
reduce the number of HTTP requests
 Minify the big file by removing white-
spaces, etc. to reduce file size per request
– Check: W3Total > Performance > Minify!
 Same goes for JavaScript as well… and put those
JS files into the footer, if possible!
65

66. #29 Do CSS-Sprites
http://spriteme.org/

67. #30 Off-load JS-Libs
WP Use Google Libraries
Simply enable the plug-in &
serve JS libs from Google‘s CDN!
http://wordpress.org/extend/plugins/use-google-libraries/

68. Section #7: Scale that Sh*t!

69. WordPress + Cloning Installations
1. Setup WP w/ optimized settings
– Permalinks, Plug-ins, Settings, etc.
2. Use Xcloner to multiply setup
– Easier vs. re-doing 1/ over & over again
3. Use ManageWP for maintenance
– Perfect mass management solution
4. Or: Update using browser favorites
– Just replace hostnames in your list
69

70. Maybe give xMarkPro a try?
Looks very promising…
But I didn’t find the time to test it
in full detail yet, Sorry.
http://xmarkpro.com/

71. WordPress + Multisites
1. Use default WordPress and install
2. Edit wp-config.php:
– define('WP_ALLOW_MULTISITE', true);
3. Install WP “MU Domain Mapping”
– Copy “sunrise.php” to “wp-content”
4. Edit wp-config.php, again:
– define('SUNRISE', 'on');
Bonus: “Clone Sites for WPMU“
http://codex.wordpress.org/Create_A_Network

72. OMCap 2011 - Online Marketing Konferenz Berlin
And that’s it! …
13.10.2011
Wait, still not enough? 72

73. Section #8: wp-config.php Tweaks

74. How to do it?
Just find this
beast…
… don’t use this
piece of sh*t…
… and put directives
before here!

75. Moving the “wp-content” folder
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'].'/blog/my-wp-content');
WP_CONTENT_DIR points to “new”
the full local path (no trailing slash)
define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content');
WP_CONTENT_URL points to “new”
full URI (no trailing slash either)

76. Auto-saving & Revision-handling
define('AUTOSAVE_INTERVAL', 160 );
WP uses Ajax to auto-save revisions
to the post as you edit. Change the
interval if necessary (default=60)
define('WP_POST_REVISIONS', 3);
… or (not recommended):
define('WP_POST_REVISIONS', false); Limit WP to create a maximum
number of revisions per post
using WP_POST_REVISIONS

77. SSL Logins & Administration
define('FORCE_SSL_LOGIN', true);
Set FORCE_SSL_LOGIN to “true” to
force all logins to happen over SSL.
(still allows non-SSL admin sessions)
define('FORCE_SSL_ADMIN', true);
Use FORCE_SSL_ADMIN to force all
logins and all admin sessions to
happen over SSL (can be slow…)

78. Enable DB Auto-Repair
Go edit „wp-config.php“
and add this line – easy!
define('WP_ALLOW_REPAIR', true);
Afterwards, you need to call the repair script manually:
http://example.com/wp-admin/maint/repair.php

79. OMCap 2011 - Online Marketing Konferenz Berlin
Finally! …
13.10.2011
Well, well… one more! 79

81. Thanks! Questions?
mail@grimm-digital.com
twitter.com/basgr
linkedin.com/in/bastiangrimm
facebook.com/grimm.digital
http://gdig.de/think12
Bastian Grimm, Managing Partner - Grimm Digital